How Amazon Simple Email Service (Amazon SES) Uses AWS KMS

You can use Amazon Simple Email Service (Amazon SES) to receive email, and (optionally) to encrypt the received email messages before storing them in an Amazon Simple Storage Service (Amazon S3) bucket that you choose. When you configure Amazon SES to encrypt email messages, you must choose the KMS customer master key (CMK) under which Amazon SES encrypts the messages. You can choose the default CMK in your account for Amazon SES with the alias aws/ses, or you can choose a custom CMK that you created separately in AWS KMS.

Overview of Amazon SES Encryption Using AWS KMS

When you configure Amazon SES to receive email and encrypt the email messages before saving them to your S3 bucket, the process works like this:

1. You create a receipt rule for Amazon SES, specifying the S3 action, an S3 bucket for storage, and a KMS customer master key (CMK) for encryption.

2. Amazon SES receives an email message that matches your receipt rule.

3. Amazon SES requests a unique data key encrypted with the KMS CMK that you specified in the applicable receipt rule.

4. AWS KMS creates a new data key, encrypts it with the specified CMK, and then sends the encrypted and plaintext copies of the data key to Amazon SES.

5. Amazon SES uses the plaintext data key to encrypt the email message and then removes the plaintext data key from memory as soon as possible after use.

6. Amazon SES puts the encrypted email message and the encrypted data key in the specified S3 bucket. The encrypted data key is stored as metadata with the encrypted email message.

To accomplish Step 3 through Step 6, Amazon SES uses the AWS-provided Amazon S3 encryption client. Use the same client to retrieve your encrypted email messages from Amazon S3 and decrypt them. For more information, see Retrieving and Decrypting Email Messages.

Amazon SES Encryption Context

When Amazon SES requests a data key to encrypt your received email messages (Step 3 in the Overview of Amazon SES Encryption Using AWS KMS), it includes encryption context in the request. The encryption context provides additional authenticated information that AWS KMS uses to ensure data integrity. The encryption context is also written to your AWS CloudTrail log files, which can help you understand why a given customer master key (CMK) was used. Amazon SES uses the following for the encryption context:

The ID of the AWS account in which you've configured Amazon SES to receive email messages

The rule name of the Amazon SES receipt rule that invoked the S3 action on the email message

The Amazon SES message ID for the email message

The following example shows a JSON representation of the encryption context that Amazon SES uses:

You can use the default customer master key (CMK) in your account for Amazon SES with the alias aws/ses, or you can use a custom CMK you create. If you use the default CMK for Amazon SES, you don't need to perform any steps to give Amazon SES permission to use it. However, to specify a custom CMK when you add the S3 action to your Amazon SES receipt rule, you must ensure that Amazon SES has permission to use the CMK to encrypt your email messages. To give Amazon SES permission to use your custom CMK, add the following statement to your CMK's key policy:
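The statement itself is not reproduced on this page, so the following is an added reconstruction written to match the conditions the text describes; it is not a copy of the AWS documentation's own snippet. The Sid value is an arbitrary label chosen here, ACCOUNT-ID-WITHOUT-HYPHENS is the placeholder the text explains, and the service principal and action names are the standard ones for Amazon SES and AWS KMS.

```json
{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContext:aws:ses:rule-name": false,
      "kms:EncryptionContext:aws:ses:message-id": false
    },
    "StringEquals": {
      "kms:EncryptionContext:aws:ses:source-account": "ACCOUNT-ID-WITHOUT-HYPHENS"
    }
  }
}
```

A Null condition with the value false requires the named encryption context key to be present in the request, and the StringEquals condition binds the permission to receipt rules in your own account, so Amazon SES cannot use this CMK on behalf of another account's rules. In a key policy, "Resource": "*" refers to the CMK the policy is attached to, not to every key in the account.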

Replace ACCOUNT-ID-WITHOUT-HYPHENS with the 12-digit ID of the AWS account in which you've configured Amazon SES to receive email messages. This policy statement allows Amazon SES to encrypt data with this CMK only under these conditions:

Amazon SES must specify aws:ses:rule-name and aws:ses:message-id in the EncryptionContext of its AWS KMS API requests.

Amazon SES must specify aws:ses:source-account in the EncryptionContext of its AWS KMS API requests, and the value for aws:ses:source-account must match the AWS account ID specified in the key policy.

Retrieving and Decrypting Email Messages

Amazon SES does not have permission to decrypt your encrypted email messages and cannot decrypt them for you. You must write code to retrieve your email messages from Amazon S3 and decrypt them. To make this easier, use the Amazon S3 encryption client. The following AWS SDKs include the Amazon S3 encryption client:

The Amazon S3 encryption client simplifies the work of constructing the necessary requests to Amazon S3 to retrieve the encrypted email message and to AWS KMS to decrypt the message's encrypted data key, and of decrypting the email message. For example, to successfully decrypt the encrypted data key you must pass the same encryption context that Amazon SES passed when requesting the data key from AWS KMS (Step 3 in the Overview of Amazon SES Encryption Using AWS KMS). The Amazon S3 encryption client handles this, and much of the other work, for you.

For sample code that uses the Amazon S3 encryption client in the AWS SDK for Java to do client-side decryption, see the following: